Full Disclosure mailing list archives

[kbelanger () logicon ca: [VulnWatch] vuln in login under solaris]


From: hellnbak () nmrc org (hellNbak)
Date: Thu, 5 Sep 2002 22:30:42 -0400 (EDT)

On Thu, 5 Sep 2002, Len Rose wrote:

> This isn't a known issue. There is no such bug.

I haven't bothered looking into this at all but google (as posted by Kurt
Surfried to VulnDiscuss) reveals that it *MIGHT* be a known issue.

http://www.google.com/search?sourceid=navclient&q=%2Bsolaris+%2Bpassword+%2Blength

> This is about fake advisories being approved by moderators. If the
> only value of moderation is to weed out "other stuff" then the delays that
> vuln-watch incurs rather frequently aren't worth the cost overhead in time.

I find it funny that you have the nerve to complain about fake advisories
when the noise ratio on your very own list is quite high.  The point of
moderating VulnWatch and VulnDiscuss is to keep the noise ratio down.

Yeah, a fake advisory or two will get through but 99% of our subscribers
are intelligent enough to test things for themselves.  It's not like we, or
anyone for that matter says that the postings on the mailing list are 100%
accurate 100% of the time.

We try our best and sometimes our best is quickly browsing something
and ACKING it.  I ACKED this one and I can honestly say that I was
doing other things and didn't pay attention.  Perhaps if someone wants to
pay me to moderate a mailing list I can improve on my attention span.

Do you have some stats to back up the claims of delays?
VulnWatch has been consistently faster than the other moderated
mailing lists out there -- at least when we were tracking it. So if you
have some stats I am truly interested to know as we kind of pride
ourselves in how responsive we have been.

> Referring back to the technical merits of that advisory in particular,
> something this blatant is readily checked in 5 minutes. Sun would never
> have something of this nature so badly broken. This is in fact, /bin/login
> and the bulk of that code is probably older than most people around today.

Maybe you carry a Solaris box with you everywhere you go, but some of us
don't and some of us log in to ACK messages from all over the place.  I
have a day job, if you want to volunteer to technically check every
advisory that is posted to VulnWatch before they get ACKED I welcome the
help and I'll get you a shell account immediately.


> A fake advisory of this nature tends to devalue the overall reliability
> of a list's information especially if it's moderated.

What is your real motivation here Len?  You have never complained before
and there have been fake/wrong/whatever advisories in the past.  Just like
we have all seen trojaned exploits -- it comes with the territory.

Overall, I don't think we are that different -- we believe in full
disclosure and the open source sharing of information -- I just happen to
think that such a forum needs moderators to monitor out the garbage.  Back
when I moderated Win2KSecAdvice it was a one man show -- I could easily
let my opinion and bias get the better of me and in a few cases I did
(search the archives).  So, when VulnWatch/VulnDiscuss was created the
multiple moderator idea was born to prevent this from happening and to
help speed up the process of posts.

VulnWatch is a free service, we do our best.  If you don't like it you are
a.) free to start your own, b.) help us improve c.) volunteer to actually
make improvements, or d.) ignore us completely.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


